427 Botnet fm qxd

Ip_src The IP address of the IRC host in question. ■ Tmsg

Download 6,98 Mb.

Pdf ko'rish

bet	238/387
Sana	03.12.2022
Hajmi	6,98 Mb.
	#878307

1 ... 234 235 236 237 238 239 240 241 ... 387

Bog'liq
Botnets - The killer web applications

Tprivmsg Total PRIVMSGS. ■ Maxchans Count of the number of channels this host has joined. ■ Maxworm

Ip_src
The IP address of the IRC host in question.
■
Tmsg
Total max IRC messages ( JOINS, PINGS, PONGS,
PRIVMSGS).
■
Tjoin
Total number of JOIN messages.
■
Tping
Total PING messages.
■
Tpong
Total PONG messages.
www.syngress.com
IRC and Botnets • Chapter 8
295
427_Botnet_08.qxd 1/8/07 4:10 PM Page 295

■
Tprivmsg
Total PRIVMSGS.
■
Maxchans
Count of the number of channels this host has joined.
■
Maxworm
This is a special form of the TCP work weight.This par-
ticular version of the TCP work weight is the maximum value seen
over all 30-second instances in the IRC summarization. It is also a
“weak” statistical measure. We will discuss it in more detail in a
moment.
■
Server?
The probe IRC module attempts to figure out if an IRC
host is an IRC client or IRC server.
S
stands for server and
H
stands
for host. Not all IRC protocols conform to the IETF standards;
sometimes you might see an IRC channel with all servers.This is not
unusual and is sometimes found with computer games using IRC.
■
Sport/dport
These are sampled IRC TCP source and destination
ports.This field may sometimes make obvious the destination port on
the server, which could be a useful thing to know. It is also a per-host
sample, so if the host is in multiple channels, it might be wrong. Look
for hosts in the channel that agree on the server port.
■
First_ts
This field is new. It shows the first time a host in an IRC
channel showed any IRC activity during the day.The timestamp is
based on a particular IP host in a channel, so the same host in a dif-
ferent channel might have a different timestamp.
How is the
TCP work weight
used in IRC summarizations? The IRC
summarization itself is pulling together a set of IP hosts found to be talking
inside a particular IRC channel. Let’s say we have two channels, one called
bark
and the other called
x0#
. Channel
bark
has 10 clients and one server.
Channel
x0#
has five clients and three servers. When we look at these two
channels in
channels with per host stats
we see that channel
x0#
has five clients,
all with TCP work weight values (maxworm) of 99. So from the big picture
this means we have a channel with all its clients scanning.The TCP work
weight is the maximum value of all work weights seen.The reason is that if
you have an outbreak of multiple bots it becomes pretty easy to spot that all
of them or most of them (the clients in channel
x0#
) are infected.This is
what the
evil channel report
is trying to show you. If you have a high work

Download 6,98 Mb.

Do'stlaringiz bilan baham:

1 ... 234 235 236 237 238 239 240 241 ... 387